r/u_Level-Profile-7841

▲ 4 r/u_Level-Profile-7841+1 crossposts

SimpleLogin MTA-STS Policy Still Set to "Testing" After 5 Years

Over five years ago, I reached out to Proton regarding a security gap in SimpleLogin: the lack of MTA-STS enforcement. Without an enforced policy, mail servers are not mandated to use encrypted connections, leaving email traffic vulnerable to interception via man-in-the-middle (MITM) operations.

Initially, there was no policy in place. After multiple follow-ups, they implemented a "testing" mode policy roughly two years ago. However, a testing policy does not enforce encryption, meaning the traffic remains vulnerable to interception.

Fixing this requires changing the policy status from "testing" to "enforce."

Given how straightforward this configuration change is, why would a privacy-focused company knowingly and intentionally leave it in testing mode for years?

reddit.com
u/Level-Profile-7841 — 11 days ago